Conjur Ansible Lookup Plugin and SSH Key File

Hi there,

I would like to know if anyone already managed to use the conjur-variable lookup plugin from the cyberark.conjur collection to fetch SSH Keys.

Use case: I’d like Ansible AWX to fetch SSH Keys (Managed inside CyberArk Vault) from CyberArk DAP/Conjur to connect to an Ansible dynamic inventory.

Option 1: using CyberArk Conjur Secret Lookup Credential Type and Machine Credential Type
It works fine but does not allow to parameterize the secret id given the hostname of the inventory host being configured.

Option 2 : using Job Template extra vars, Custom credential type and conjur-variable Lookup Plugin
it works fine with SSH

Custom credential type definition:

Input Configuration:

  - id: conjur_account
    type: string
    label: Organization Name in Conjur
  - id: conjur_version
    type: string
    label: Conjur Version
  - id: conjur_url
    type: string
    label: URL to Conjur Service
  - id: conjur_cert
    type: string
    multiline: true  
  - id: conjur_authn_login
    type: string
    label: Host Login
  - id: conjur_authn_api_key
    type: string
    label: Host API Key
    secret: true
  - conjur_account
  - conjur_url
  - conjur_authn_login
  - conjur_authn_api_key

Injector Configuration:

  CONJUR_CONFIG_FILE: '{{ tower.filename.conf }}'
  CONJUR_IDENTITY_FILE: '{{ tower.filename.identity }}'
  CONJUR_CERT_FILE: '{{ tower.filename.cert }}'
  template.conf: |-
    "appliance_url": "{{ conjur_url }}",
    "account": "{{ conjur_account }}"
  template.identity: "machine {{ conjur_url }}/authn\n\tlogin {{ conjur_authn_login }}\n\tpassword {{ conjur_authn_api_key }}"
  template.cert: "{{ conjur_cert }}"

Extra vars:

ansible_user: 'cloud-user'
ansible_password: "{{ lookup('conjur_variable', 'Vault/Cloud_Automation/CYBR_Unix_Cloud_Users/CYBR_UnixSSH-' + inventory_hostname + '-' + ansible_user + '/password') }}"

While it works like a charm with ansible_password (using SSH passwords) it does not work with SSH Keys.

ansible_ssh_pass and ansible_ssh_private_key_file don’t work.

Any ideas/comments?

Any help will be appreciated,

Many Thanks,


This PR: should solve this.
It will allow to parameterize the SSH Key retrieved from CyberArk based on the inventory hostname without the need to modify playbooks.
The Key is fetched from Conjur/DAP

Thanks jcosteatcyberark for the contribution :slight_smile:


This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.